18 Password Reset Policy
- Determine categories of users for the password reset policy, based on:
  - Security requirements
  - Applicability of authentication methods
  - User language preference
- Implement a password reset policy for each category of user
  - FIM resources involved: set, management policy rule, and workflow
  - Each authentication workflow contains one or more gates
  - Optionally configure a workflow so that one or more gates apply only to requests from the extranet

20 Interactive Registration – QA Gate
- The admin can configure the number of questions the user can choose from, and the minimum number the user must answer to register
- The user sees the admin-defined questions and enters answers to them
- The FIM Service salts and hashes the user's registration data, then stores it in a Gate Registration object (internal)

21 QA Gate Configuration
- Number of questions in the gate that are:
  - shown to the user
  - required for registration
  - required for reset
- Allowed answers
- Text describing the allowed answers to users

25 One-Time Password SMS Gate
Diagram: Windows Server hosting the FIM Service -> FIM OTP SMS Gate -> SMS Provider DLL -> SMS Provider -> User's Cellular Service Provider -> User's Cellphone
- Choose an SMS provider and establish a service relationship
- Get documentation for the protocol/API implemented by the SMS service provider
- Write an SMS Provider that targets this protocol/API
- Compile this code into a DLL with a specific filename
- Deploy this DLL to the FIM Service host machine, into a specific location

27 Programmatic Registration
- Administrators can programmatically register or unregister a user from an authentication workflow
- Implementation: PowerShell cmdlets
- Deployed with the FIM Service component, in the FIMAutomation PsSnapin

28 New cmdlets
- Get-AuthenticationWorkflowRegistrationTemplate
  Purpose: Gets the template for an authentication workflow
  Required parameters: AuthenticationWorkflowName
- Register-AuthenticationWorkflow
  Purpose: Registers one user for one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
- Unregister-AuthenticationWorkflow
  Purpose: Unregisters one user from one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
- Confirm-AuthenticationWorkflowRegistration
  Purpose: Returns true if the specified user is registered for the specified workflow, otherwise returns false
  Required parameters: UserName, AuthenticationWorkflowName

30 Example – Register during Onboarding
- Scenario: The organization has an existing business process that collects all data needed for password reset
- Goal: Register existing and new users for FIM Password Reset without user interaction
- Approach:
  - New users: a script gets the new/updated data and invokes the Register-AuthenticationWorkflow cmdlet

31 Example – Deregistration and Renewal
- Scenario: The organization wants users to periodically re-register for FIM Password Reset
- Goal: Cause users to be prompted for re-registration on a defined schedule
- Approach:
  - Implement a process to identify users who are targeted for re-registration
  - Schedule a periodic run of a script to deregister the targeted users
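The onboarding script (slide 30) and the scheduled deregistration script (slide 31) can be one CSV-driven job built on the four cmdlets from slide 28; the script below is an added example, not from the deck or from Microsoft. It assumes the FIMAutomation snap-in is present on the FIM Service host, that the workflow name and users.csv are placeholders/constructed input, and that the template object's shape and the parameter that passes the filled template to Register-AuthenticationWorkflow are as marked (only UserName and AuthenticationWorkflowName are documented as required on slide 28; verify the rest with Get-Help Register-AuthenticationWorkflow -Full).

```powershell
# Added example (not the deck's code). ASSUMPTIONS: FIMAutomation snap-in installed;
# workflow name is a placeholder; users.csv is a constructed file with columns
# UserName,Action,Answer1,Answer2,Answer3 where Action is Register or Deregister.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$WorkflowName = 'Password Reset AuthN Workflow'   # placeholder: use your workflow's name
$Users        = Import-Csv -Path '.\users.csv'    # constructed input
$Log          = @()                                # per-user outcome, no secret data

foreach ($u in $Users) {
    # Confirm-AuthenticationWorkflowRegistration returns $true/$false (slide 28)
    $isRegistered = Confirm-AuthenticationWorkflowRegistration `
        -UserName $u.UserName -AuthenticationWorkflowName $WorkflowName

    if ($u.Action -eq 'Register') {
        if ($isRegistered) {
            $Log += [pscustomobject]@{ User = $u.UserName; Result = 'AlreadyRegistered' }
            continue
        }
        # Get the empty registration template for this workflow and fill the QA answers
        $template = Get-AuthenticationWorkflowRegistrationTemplate `
            -AuthenticationWorkflowName $WorkflowName
        $qaGate  = $template.GateRegistrationTemplates[0]   # ASSUMPTION: gate 0 is the QA gate
        $answers = @($u.Answer1, $u.Answer2, $u.Answer3)
        for ($i = 0; $i -lt $answers.Count; $i++) {
            $qaGate.Data[$i].Value = $answers[$i]         # ASSUMPTION: Data[n].Value layout
        }
        Register-AuthenticationWorkflow -UserName $u.UserName `
            -AuthenticationWorkflowName $WorkflowName `
            -AuthenticationWorkflowRegistrationInfo $template  # ASSUMPTION: parameter name
        $Log += [pscustomobject]@{ User = $u.UserName; Result = 'Registered' }
    }
    elseif ($u.Action -eq 'Deregister') {
        if (-not $isRegistered) {
            $Log += [pscustomobject]@{ User = $u.UserName; Result = 'NotRegistered' }
            continue
        }
        # Unregistering makes the portal prompt the user to register again (slide 31)
        Unregister-AuthenticationWorkflow -UserName $u.UserName `
            -AuthenticationWorkflowName $WorkflowName
        $Log += [pscustomobject]@{ User = $u.UserName; Result = 'Deregistered' }
    }
}

# Outcomes only; the answers never reach the log file
$Log | Export-Csv -Path '.\registration-log.csv' -NoTypeInformation
```

For the renewal schedule, the process that selects users due for re-registration writes the Deregister rows into users.csv, and a scheduled task runs this script on the FIM Service host.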

33 Password Portal Customization – Layout
- Create Customizations folders for both portals
  - Defaults are "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset" and "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Registration"
- Make a new theme using CSS
  - Create a style.css file in the Customizations folder
  - Any .css rule in this Customizations\style.css overrides the default CSS for the Password Portals
  - Documentation on TechNet describes which CSS elements are supported for customization
- Example: change the logo
  - Create a logo (e.g., mylogo.png) in the Customizations folder
  - Create a style.css file in the Customizations folder with this content:
    .title-block { background:url(../Customizations/mylogo.png) no-repeat scroll 0 0 transparent; }